Malicious RTF — malware analysis report

Static analysis result for SHA-256 683e87056b36f456…

Verdict: MALICIOUS
File type: RTF
Size: 87.4 KB
First seen: 2020-09-07
MD5: de87e3c58acee7a5d15b9d34b7d1f46e
SHA-1: 80bba5804a550255b7ff37c4c6441b1c7123b5a9
SHA-256: 683e87056b36f4565754a783a01678c7299a53d3bc0b7f2043beac9d32eb644b
Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file embeds OLE object data (an \objdata section) and carries the \objupdate control word, which makes Word instantiate and update the embedded object as soon as the document is opened, with no click or prompt from the user. That combination is the usual delivery mechanism for a client-side exploit (T1203): the document is opened in Microsoft Word, the object is activated automatically, and the exploited handler is then used to fetch and run a secondary payload. The scan found no script or body content beyond the object, so the embedded object is the exploit vehicle; which vulnerability it targets and what the secondary payload is cannot be determined from the RTF layer alone and has to be established from the carved object listed under Extracted artifacts.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents. \objupdate is a documented RTF control word, so on its own it is a strong indicator rather than proof; the carved object decides.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000137a.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x137A
Size: 25339 bytes
SHA-256: 02c613a29d984bb1923bc03e69ad33322dc536d3aa5725e0e28ca37bfece2adf